We do something similar when preparing apps for backups: we block NEW incoming connections
from our load balancers with a TCP Reset:

    iptables -A INPUT -p tcp --dport $appport --source $loadbalancerhost -m state --state NEW -j REJECT --reject-with tcp-reset

That seems to clue the load balancers in pretty fast that this node is no longer
available, and allows ESTABLISHED connections to continue - and we can safely perform
local operations like when we wait for the app to finish starting and then unblock those.

(Not directly related to OpenLDAP, but interesting for sysadmins who manage it.)
From: openldap-technical [mailto:firstname.lastname@example.org] On Behalf Of
Sent: Monday, February 15, 2016 7:32 AM
To: Hallvard Breien Furuseth <h.b.furuseth(a)usit.uio.no>;
Subject: Re: Shutting down some slapd listeners
Hallvard Breien Furuseth wrote:

Sometimes I want slapd to stop listening for new connections
to ldap:// and ldaps://, but keep listening to ldapi://,
for maintenance before shutdown.
One way would be to extend the 'gentlehup' config option
with a list of which URIs it should affect. Or we could
add some sort of 'command language' to cn=config/cn=monitor.
Or should I play some temporary tricks with iptables or whatever,
so new connections never reach slapd? I've never tried that.

Yupp. I'd implement that with temporary local firewall rules suppressing TCP SYN
packets. On Linux: iptables --syn. Local firewall rules are a good idea anyway.
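The drain procedure discussed in this thread (reject new TCP connections to slapd's ldap:// and ldaps:// listeners with a TCP reset, leave ldapi:// and already ESTABLISHED sessions alone, then remove the rules once maintenance is done), written up here as an added example rather than code from either poster. The function names are my own, the iptables and ss invocations assume a Linux host with iproute2, and applying the rules needs root.

```shell
# Drain slapd's TCP listeners before maintenance: reject NEW connections to the
# ldap:// and ldaps:// ports with a TCP reset (SYN-only match, as suggested in
# the thread), leave ldapi:// and ESTABLISHED sessions alone, drop the rules after.
# Added example, not the thread's own code; helper names are assumptions.
# Print the TCP port of a slapd listener URI; ldapi:// (unix socket) prints nothing.
listener_port() {
    case "$1" in
        ldapi:*) return 0 ;;
        ldap://*|ldaps://*) ;;
        *) echo "unsupported listener URI: $1" >&2; return 1 ;;
    esac
    hostport=${1#*://}; hostport=${hostport%%/*}              # strip scheme and path
    case "$hostport" in *\]) port="" ;; *) port=${hostport##*:} ;; esac  # bare IPv6 literal
    if [ -n "$port" ] && [ "$port" != "$hostport" ]; then      # explicit :port given
        echo "$port"
    else
        case "$1" in ldaps:*) echo 636 ;; *) echo 389 ;; esac  # scheme default
    fi
}

# Emit iptables commands. $1: add|del; $2: peer to restrict the rule to ("-" =
# any peer, else e.g. the load balancer address); remaining args: listener URIs.
drain_rules() {
    case "$1" in add) flag=-I ;; del) flag=-D ;; *) return 1 ;; esac
    src=""; [ "$2" = "-" ] || src=" --source $2"
    shift 2
    for uri in "$@"; do
        port=$(listener_port "$uri") || return 1
        [ -n "$port" ] || continue                                # ldapi:// needs no rule
        echo "iptables $flag INPUT -p tcp --syn --dport $port$src -j REJECT --reject-with tcp-reset"
    done
}

established_count() { ss -Htn state established "( sport = :$1 )" | wc -l; }  # open sessions on a local port

# drain_and_run MAXWAIT PEER URI... -- COMMAND...: apply the rules, wait up to
# MAXWAIT seconds for open sessions to finish, run COMMAND, remove rules on exit.
drain_and_run() {
    maxwait=$1; peer=$2; shift 2; uris=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do uris="$uris $1"; shift; done; [ "$1" = "--" ] && shift
    drain_rules add "$peer" $uris | sh -e || return 1
    trap 'drain_rules del "$peer" $uris | sh' EXIT               # runs even if COMMAND fails
    while [ "$maxwait" -gt 0 ]; do
        open=0
        for u in $uris; do p=$(listener_port "$u"); [ -z "$p" ] || open=$((open + $(established_count "$p"))); done
        [ "$open" -eq 0 ] && break
        maxwait=$((maxwait - 1)); sleep 1
    done
    "$@"
}
```

A typical call would be `drain_and_run 60 10.0.0.5 ldap:// ldaps:// ldapi:/// -- /usr/local/bin/backup-slapd.sh` (placeholder peer and command).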